Supply chain chaos, old bugs, smarter phishing, and botnets everywhere — here’s what broke the internet this week.

Ghost CMS flaw CVE-2026-26980 enabled attacks on 700+ sites, injecting ClickFix malware through fake CAPTCHA pages.

AI-powered NDR improved security accuracy from 26% to 95%, reducing false positives and accelerating SOC threat response.

Lazarus deployed RemotePE against crypto firms using memory-only malware, enabling stealthy long-term financial intrusions.

TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

Claude Mythos found thousands of vulnerabilities, exposing patching limits as AI-driven exploit discovery accelerates cyber risk.

Anthropic uncovered 10,000 vulnerabilities through Project Glasswing, driving urgent patching efforts and stronger cyber ...

Packagist packages hid malicious package.json scripts, enabling Linux binary execution during installs and workflows.

Drupal CVE-2026-9082 exploitation hit 15,000 attempts across 65 countries, forcing urgent patches by May 27, 2026.

Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active ...

The U.S. Department of Justice (DoJ) on Thursday announced the arrest of a Canadian man in connection with allegedly ...

Megalodon pushed 5,718 malicious GitHub commits in 6 hours, exposing CI secrets and cloud credentials at scale.